JavaScript: Protecting mailto links

In the last few years we have seen the rise of 'email harvesters' and 'spambots' - robots or spiders that are programmed specifically to harvest email addresses from your website for the purpose of sending spam email.

Email link obfuscation

For webmasters, this means that you can no longer have an email address appear on your website (even just in the HTML code) without exposing yourself to spammers. Even a single page with your email address is enough to trigger an avalanche of spam - and there's no way to put the genie back in the bottle without changing your email address.

If you have access to server-side scripting then an email form can replace the email links (our Feedback form is a good example), but some people are reluctant to use forms as they can be seen as 'impersonal' and you can't always be confident that your message was received by a human being.

It would be nice if we could display an email link without the danger of having it harvested. Because of the nature of the WWW, once you make your email addresses harder to extract than the majority of sites, no one's going to bother (at least not for a while) writing a spambot just to extract yours.

That's where JavaScript comes in handy.

Sample output

Obfuscate your email address

Copy the code directly from the samples below to your site where you want the email link to appear.

Simple encoding:

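<script type="text/javascript">
// Replace the two strings with the local part and the domain of your own address.
// They are joined with "@" only at run time, so the full address never appears in the HTML source.
document.write("<a href=\"mail" + "to:" + new Array("your.name","example.net").join("@") + "\">" + new Array("your.name","example.net").join("@") + "</" + "a>");
</script>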

Advanced encoding:

Copy and paste this code into your HTML for a secure email link:

<script type="text/javascript">eval(unescape("%6e%75%61%75%75%37%37%3d%5b%27%25%37%39%25%36%66%25%37%35%25%37%32%25%32%65%25%36%65%25%36%31%25%36%64%25%36%35%27%2c%5b%27%25%36%65%25%36%35%25%37%34%27%2c%27%25%36%35%25%37%38%25%36%31%25%36%64%25%37%30%25%36%63%25%36%35%27%5d%2e%72%65%76%65%72%73%65%28%29%2e%6a%6f%69%6e%28%27%2e%27%29%5d%2e%6a%6f%69%6e%28%27%40%27%29%3b%69%62%76%69%74%35%37%3d%75%6e%65%73%63%61%70%65%28%6e%75%61%75%75%37%37%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%69%62%76%69%74%35%37%2e%6c%69%6e%6b%28%27%6d%61%69%27%2b%27%6c%74%6f%3a%27%2b%6e%75%61%75%75%37%37%29%29%3b"));</script>

This new algorithm has been created to be significantly more difficult to reverse engineer than the basic version above, which was already cracked by at least one group of spammers.

The advanced version was released into the wild in December 2005 and so far there are no indications that it's been cracked by an automated script. Manual copying of the address is of course always possible.

Update: Google is now indexing email addresses that appear in this format (see below).

Known limitations

While we're finding better ways of protecting email addresses, the harvesters are also working on better algorithms for detecting them. That means that the algorithms used on this page may only have a limited lifespan and should not be relied on to protect your email addresses forever.

We suggest you use a single PHP (or equivalent) function to display all email links on your site/server. That way if you think the encryption (or 'obfuscation' in this case) has been compromised you can immediately change to a different algorithm - more complicated JavaScript or a generated graphic for example.
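The single-function approach suggested above, as an added example that is not the site's own generator: a JavaScript (Node.js) function that emits the advanced encoding shown earlier for any address, so every email link goes through one place and the scheme can be swapped later. The function names and the address pattern are assumptions.

```javascript
// Added example, not the site's generator. Function names and ADDRESS_RE are assumptions.
// Strict ASCII pattern: the address ends up in document.write(), so reject anything
// that could carry markup or quotes instead of trying to escape it.
const ADDRESS_RE = /^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Percent-encode every character (encodeURIComponent would leave letters readable).
function pctAll(s) {
  return Array.from(s, (c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Throwaway variable name in the style of the page's sample (five letters, two digits).
function randomName() {
  let s = "";
  for (let i = 0; i < 5; i++) s += String.fromCharCode(97 + Math.floor(Math.random() * 26));
  return s + Math.floor(10 + Math.random() * 90);
}

// The one place on the site that knows the obfuscation scheme.
function obfuscatedMailto(address) {
  if (!ADDRESS_RE.test(address)) throw new Error("refusing to encode invalid address");
  const [local, domain] = address.split("@");
  // Domain labels are stored reversed and put back in order in the browser.
  const labels = domain.split(".").reverse().map((l) => "'" + pctAll(l) + "'");
  const a = randomName();
  let b;
  do { b = randomName(); } while (b === a);
  const inner =
    a + "=['" + pctAll(local) + "',[" + labels.join(",") + "].reverse().join('.')].join('@');" +
    b + "=unescape(" + a + ");" +
    "document.write(" + b + ".link('mai'+'lto:'+" + a + "));";
  // Second layer: the whole statement is percent-encoded and unwrapped by eval(unescape()).
  return '<script type="text/javascript">eval(unescape("' + pctAll(inner) + '"));</script>';
}
```

Call it from the page template wherever an address is displayed; changing to a different scheme later means replacing only the body of this function.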

If you need to cater for users with non-JavaScript browsers your best option is to provide a form that sends email via a server-side script.

Now parsed by Google

In a surprising turn of events, it seems that Googlebot has now cracked our algorithm. Searching for an email address that appears in obfuscated format now returns the page in question.

The email address is not highlighted in the SERP text snippet as it is for plain text links, however, and in the cached version of the page the text at the top says only "These terms only appear in links pointing to this page" (which isn't actually the case). In the text version of the cached page the email address doesn't show up at all.

User Comments

22 July, 2008

Hi, the Smarty ( has a function that encodes mail addresses very nicely too.

I checked out the Smarty encoding on this page and it really isn't that good. Most spambots can already crack at least the first two options using just unescape for the first or html_entity_decode followed by unescape for the second.

Ours (the advanced version) is much, much more secure.